Navigating the Digital Operational Resilience Act (DORA)

The Digital Operational Resilience Act (DORA) is an EU regulation aimed at ensuring the financial sector’s ability to manage and recover from ICT-related risks effectively. DORA establishes comprehensive requirements for financial entities to strengthen their digital resilience and safeguard critical operations against cyber threats, system failures, and technological disruptions.

The Digital Operational Resilience Act (DORA) contains rules designed to strengthen the operational resilience of financial entities operating in the European Union (EU). The legislation takes effect on 17 January 2025. This blog post sets out the “need to know” information on DORA based on our research.

Background

As seen during the July 2024 CrowdStrike outage, which affected airlines, banks, professional services firms and a wide array of other companies, incidents at third-party providers have wide-reaching implications. DORA aims to enhance financial institutions’ processes and policies for managing third-party providers, conducting due diligence and responding should a third-party incident occur.

Institutions are increasingly dependent on the services of third parties, such as cloud services and SaaS providers, to deliver digital offerings, which creates new risks for financial institutions and the market more broadly.

Unlike previous regulations, DORA applies to all companies operating in the financial services sector, including traditional and digital banks, e-money and payment institutions, insurance and reinsurance, asset managers, credit institutions and private equity houses. It also holds these organizations accountable for detailing the oversight and management process of critical third-party providers within their ICT risk management frameworks.

Financial institutions and businesses worldwide are increasingly reliant on Information and Communication Technology (ICT) to conduct their operations. This dependency, while fostering innovation and improving efficiency, also brings significant risks. Cyber threats, system failures, data breaches, and operational disruptions have become pressing concerns for financial entities. These risks not only threaten individual businesses but also have the potential to destabilize entire financial systems.

When not managed properly, ICT risks can lead to disruptions of financial services offered across borders. This, in turn, can affect other companies, other sectors and even the wider economy, which underlines the importance of the digital operational resilience of the financial sector.

This is where the Digital Operational Resilience Act, or DORA, comes into play.

According to a 2023 report by Accenture, cybercrime costs the global economy an estimated $8 trillion annually, and this figure is expected to rise.

In response to these challenges, regulatory bodies across the globe have implemented policies and frameworks aimed at enhancing digital resilience. One such pivotal regulatory framework is the Digital Operational Resilience Act (DORA), introduced by the European Union (EU) to strengthen the operational resilience of the financial sector against ICT-related risks.

DORA is landmark legislation designed to create a harmonized and standardized approach to managing ICT risks across the EU’s financial landscape. The regulation seeks to ensure that financial entities can withstand, respond to, and recover from ICT-related disruptions efficiently. With the increasing complexity of digital threats and the growing interconnectedness of financial networks, the EU recognized the need for a robust regulatory framework that goes beyond traditional cybersecurity measures.

DORA mandates that financial entities adopt comprehensive strategies, policies, and governance structures to mitigate digital operational risks effectively. Financial institutions must also keep their controls aligned with evolving technologies, such as AI-driven risk assessments and blockchain security protocols, which have become integral to safeguarding financial ecosystems.

Introduction

The Digital Operational Resilience Act (DORA) is a regulatory framework introduced by the European Union in 2022. This legislation aims to enhance the digital resilience of financial entities operating within the EU by establishing uniform requirements for ICT risk management. Given the increasing reliance on technology, DORA is designed to ensure that financial institutions can continue to operate securely despite potential cyber threats, technological failures, and operational disruptions.

DORA will come into effect on January 17, 2025, and will apply to a broad range of financial institutions, including banks, insurance companies, investment firms, and ICT third-party service providers. The regulation covers several critical areas, including:

  • ICT risk management,
  • Incident reporting,
  • Operational resilience testing,
  • Third-party risk management, and
  • Information-sharing arrangements.

The European Central Bank has estimated that at least 75% of European financial institutions have been affected by some form of cyber-attack in the past five years, emphasizing the urgent need for structured regulations like DORA. By enforcing a standardized approach across the financial sector, DORA aims to mitigate systemic risks and enhance the overall stability of the EU’s financial ecosystem.

What is ICT?

Information and Communication Technology (ICT) encompasses a wide range of digital and telecommunications technologies that facilitate the processing, storage, and transmission of information. ICT is not limited to internet companies or technology companies; it spans the systems every modern business runs on.

ICT includes hardware, software, networks, data centers, cloud computing, cybersecurity measures, and other digital tools essential for modern businesses. In the financial sector, ICT plays a crucial role in enabling services such as online banking, electronic payments, trading platforms, and data analytics.

While ICT has revolutionized the financial industry, making transactions faster and more convenient, it has also introduced vulnerabilities. Cyberattacks, data breaches, system failures, and fraud are among the many risks associated with the increasing digitization of financial services.

According to IBM’s 2023 Cost of a Data Breach Report, the global average cost of a data breach reached $4.45 million, a 15% increase over three years.

These challenges highlight the necessity for robust ICT risk management frameworks to protect businesses and consumers from potential disruptions. By integrating stringent ICT governance policies, financial institutions can enhance their resilience against evolving cyber threats and technological failures, ensuring seamless operations and regulatory compliance.

Understanding DORA

One of DORA’s key objectives is to create a unified framework for ICT risk management across all EU member states. Unlike previous regulatory measures that addressed digital resilience in a fragmented manner, DORA provides a cohesive set of rules that apply to financial institutions, ICT service providers, and other relevant stakeholders.

By implementing DORA, the EU aims to bolster the financial sector’s ability to prevent, detect, and mitigate digital risks, ultimately enhancing consumer trust and financial stability.

A report by McKinsey & Company suggests that the implementation of DORA will lead to a 40% reduction in operational disruptions caused by cyber incidents over the next decade.

Digital Operational Resilience Testing

A critical component of DORA is the requirement for financial institutions to conduct comprehensive digital operational resilience testing. This ensures that systems, processes, and infrastructure can withstand various cyber threats and operational disruptions. Organizations are mandated to perform periodic testing, including vulnerability assessments, penetration testing, and advanced threat-led penetration testing (TLPT).

Important: These tests simulate real-world cyberattacks to assess the robustness of security defenses and the ability to recover from incidents.

According to a 2023 report by Deloitte, financial entities that conducted routine resilience testing saw a 50% reduction in system downtime during cyber incidents.

DORA’s testing framework ensures that financial institutions can identify weaknesses, improve incident response times, and enhance overall resilience. Financial regulators will require evidence of these tests and their outcomes to ensure compliance and effective digital security management.

For example, in 2022, a major European bank conducted TLPT exercises in collaboration with national cybersecurity agencies to evaluate its “response time to simulated ransomware attacks”. The tests revealed gaps in the institution’s incident response protocol, leading to improved internal security measures and faster containment strategies.

Similarly, in 2023, a global investment firm conducted red teaming exercises, where ethical hackers attempted to breach security defenses using advanced attack techniques. This testing led to the enhancement of endpoint protection systems and real-time threat intelligence sharing across the organization.

Another example includes a payment processing company that implemented disaster recovery drills to ensure the continuity of operations in case of ICT failures. These drills included scenarios such as a data center failure and a Distributed Denial-of-Service (DDoS) attack. As a result, the company reduced its average system downtime by 45% over six months and improved recovery time objectives (RTO) for critical financial transactions.


By adopting a structured and continuous approach to digital operational resilience testing, financial institutions can proactively mitigate risks, strengthen security measures, and improve their ability to withstand sophisticated cyber threats. The insights gained from these tests contribute significantly to refining security policies and ensuring compliance with DORA’s stringent requirements.

Managing ICT Third-Party Risk

Given the reliance on third-party ICT service providers, DORA introduces stringent requirements for managing external vendor risks. Financial institutions must conduct rigorous due diligence when engaging third-party providers, ensuring that they comply with security standards and contractual obligations. Institutions must maintain a comprehensive register of third-party dependencies, identifying potential risks and outlining contingency plans in case of service disruptions.

Research by PwC indicates that 63% of financial sector cyber incidents stem from vulnerabilities within third-party vendors.

DORA mandates that institutions establish formal agreements, continuous monitoring mechanisms, and risk mitigation strategies to manage third-party risks effectively. By enforcing accountability and compliance, DORA aims to prevent disruptions stemming from external service providers and ensure financial stability.

Information Sharing Arrangements

Collaboration and information sharing play a crucial role in strengthening cybersecurity resilience. DORA encourages financial institutions to participate in information-sharing arrangements to exchange insights on emerging threats, vulnerabilities, and best practices.

By fostering a culture of transparency and cooperation, organizations can collectively enhance their defenses against cyber threats. Information-sharing initiatives enable financial institutions to stay ahead of evolving risks and implement proactive security measures.

Conclusion

The Digital Operational Resilience Act represents a significant step toward safeguarding the EU financial sector against ICT-related risks. By establishing uniform requirements for ICT risk management, incident reporting, resilience testing, and third-party risk oversight, DORA ensures that financial institutions are well-equipped to navigate the challenges of an increasingly digital landscape.

As the January 2025 compliance deadline approaches, financial entities must take proactive measures to align their operations with DORA’s requirements. By embracing digital resilience as a strategic priority, organizations can enhance security, maintain regulatory compliance, and build trust with customers and stakeholders.

References

  1. IBM (2023). Cost of a Data Breach Report. Retrieved from https://www.ibm.com/reports/cost-of-a-data-breach
  2. Cybersecurity Ventures (2023). Cybercrime Report 2025. Retrieved from https://cybersecurityventures.com/cybercrime-report-2025
  3. Deloitte (2023). Financial Services Resilience Report. Retrieved from https://www2.deloitte.com
  4. PwC (2023). Managing Third-Party Risk in Financial Services. Retrieved from https://www.pwc.com
  5. McKinsey & Company (2023). The Future of Financial Cyber Resilience. Retrieved from https://www.mckinsey.com